Your ideas, projects, opinions - podcasted.

New episodes Monday through Friday.

Welcome to HPR the Community Podcast Network

We started producing shows as Today with a Techie on 2005-09-19, 13 years, 5 months, 9 days ago. Our shows are produced by listeners like you and can be on any topic that "are of interest to hobbyists". If you listen to HPR then please consider contributing one show a year. If you record your show now it could be released in 18 days.

Introduction

Hello and welcome to Hacker Public Radio, I’m Edward Miro and for this episode I decided to record on a personal experience I had recently helping a client catch a Craigslist scam. This will be part two in my series I’m calling “Information Security for Everyone”. As with most of the content I publish in the world of INFOSEC, my goal is to present the information in a way that a majority of people can get value from, so that anyone can play this for a friend, colleague or family member and make it easy for the non-hackers in our lives to understand. This particular episode shows a powerful way social engineering can be used to steal money from unsuspecting victims, and I will break down a few main points and red flags to look out for at the end.

A couple of weeks ago I was sitting with a client when she asked me offhandedly if I’d ever sent a Moneygram before. I told her I had and asked, curious, why she wanted to know. She explained that she was very excited to be adopting a puppy she had found online and she needed to send $350 USD to the service that ships pets across the country. This immediately caused my hacker-sense to start tingling, so I probed a bit more about the transaction.

I asked if she had spoken to the seller on the phone, and she said she hadn’t. I said that seemed weird, but she assured me that the seller said it had to do with her religion. I wasn’t aware of any religious prohibitions against speaking on the phone that also allowed using Craigslist, but okay. I told her that seemed a bit fishy to me. She asserted that she had thought so too at first, but she knew it was legit because she wasn’t sending the money to the seller; it was being sent to a third-party pet transportation company that the seller had arranged to contact her. She even showed me the company’s website on her cell phone, which, to be blunt, looked extremely janky to my eyes. I asked her if we could sit down for a few minutes and take a look at a few details before she sent anyone any money. She reluctantly agreed, though she really wanted this puppy.

The first thing I asked to look at was the emails back and forth with the seller. I checked Google and all the other major social media sites for the seller’s name. No matches. I couldn’t Google the seller’s email address because of the Craigslist email relay system. This in and of itself might be okay: we all use pseudonyms online sometimes, and Craigslist is a site where you might not want to use your real name. Fine.

She then showed me the email thread with the shipping company.

The first strange thing I noticed in the emails was the link to the pet shipping company. The name didn’t match the URL in the link. You’d think a business would be able to get its own name right. I also saw that if you Googled the name given by the shipper, it was extremely similar to a legitimate pet shipping company, and indeed that legit company comes up as the first result because Google “fixes” the query. When you follow the link in the email, however, the site itself was terrible to my eyes, but not to my client, who is not as seasoned as I am at catching scams. I also showed her that the “company” didn’t have any social media presence. At all. No Facebook, Twitter, anything. Also, the email address that was contacting her was reallylongcompanyname@outlook.com.

She also told me she had spoken to the shippers on the phone, and I asked if she still had their number. She did, but she told me she could never get through when she called them and they’d always have to call her back. I asked for the number and called it on my phone. It was a Google Voice number! Not only that, it was set to screening mode. She also told me that when he did call her, he was rude and tried to get her to hurry up and send the money. I told her I was 100% confident this was a scam and I advised her not to go through with the deal.

At this point she was extremely unhappy, but felt it was still a legitimate transaction because she had been sent pictures not only of the puppy, but of the puppy in the shipping crate at the shipping company, waiting for payment to be shipped. She explained that it’s not like it was a person trying to sell dogs or a puppy mill. It was a lady giving it away for free, and the money was only for the shipping. She just didn’t see why a scammer would go to the trouble of doing that and felt the pictures were authentic. I asked her to save all the images to her device and then showed her a site she could use to do reverse image searches. Before she did it, I asked her if she agreed that if this wasn’t a scam, those pictures wouldn’t exist anywhere else on the internet. She agreed, and each of the pictures was found in at least 9 other places online. Her heart sank and she didn’t have any further rebuttals to my concerns. She knew it was a scam and I had just saved her from losing at least $350 USD. Not to mention that the scammer would have also asked for more money later for “shots” and “insurance”. Who knows how far they might have gotten.

So here are the main red flags:

Seller wouldn’t talk on phone

Seller name didn’t seem legitimate

Name of shipping company didn’t match URL in email

Googling company name shows close match with legitimate company

Company website very poorly designed and implemented

Company has no social media presence

Email address of contact at company using generic email address and not a legit domain

Contact at company could only call her; she could never get through when she called them

Phone number of company was Google Voice number

Reverse image searches showed the “proof” photos were not original

A few of the tricks used by the scammers in this scam to make it more successful:

Listed as adoption versus a sale to alleviate concern

Handed off to “second party” to build legitimacy

Use cute puppy pictures to appeal to emotion and overrule suspicion

Counted on target not paying attention to detail

Shipper established a sense of urgency

She was very thankful, and I told her to be very careful whenever anyone from online asks her to send money. I told her that in all likelihood this was probably one person the whole time, hence why the person adopting out the dog “couldn’t talk on the phone”. They were also probably not even in this country, as we know many of these scams aren’t. She did say that the shipper’s English wasn’t good. I also told her to make sure she shares this experience with all her friends and family. I always feel the best way to handle someone getting caught in a scam is to be on their side and never shame them. We are all susceptible to scams and social engineering, and the best way to proceed is to empower them to share what they’ve learned. I also sent her a link to an article on the BBB site about these very types of scams that I’ll also link below. She was shocked at how similar her experience was to the ones explained in the article.

Well, thank you for taking the time to listen to my experience helping a client avoid getting caught in an all too common Craigslist scam. I hope this will help any non-hackers in your life, and like I say in all my podcasts, I don’t claim to know all there is to know and I love feedback and any opportunities to learn more or collaborate with others in the field. As with most of the research and articles I’ve written in the past, these are geared toward standard users in a business setting and are meant to be a jumping-off point for further research and a foundation for cyber security 101 level training classes. If you like what I do, and want to have me come speak to your team, or just wanna chat, feel free to email me.

Misunderstandings about English grammar, spelling, punctuation, etc.

Hosted by Dave Morriss on 2019-02-18, flagged as Explicit and released under a CC-BY-SA license. Tags: grammar, spelling, punctuation, word misuse, English. Listen in ogg, spx, or mp3 format.

Battling with English - part 3

Some word confusions

In this episode, the third of this series, I’m looking at some words that are sometimes used in the wrong places, often being confused one with another. These words are often particularly difficult to differentiate by people for whom English is not their first language.

Long notes

As usual I have provided detailed notes and examples for this episode, and these can be viewed here.

In this episode Ken uses the Fritzing tool to keep track of how a winter model-village windmill is wired together, leading to identifying the problem component.

Fritzing is an open-source initiative to develop amateur or hobby CAD software for the design of electronics hardware, to support designers and artists ready to move from experimenting with a prototype to building a more permanent circuit. It was developed at the University of Applied Sciences of Potsdam.
From https://en.wikipedia.org/wiki/Fritzing

tuturto walks through the implementation of special events in a web-based game

Hosted by tuturto on 2019-02-13, flagged as Clean and released under a CC-BY-SA license. Tags: haskell, yesod. Listen in ogg, spx, or mp3 format.

Intro

I was tasked with writing kragii worms into the game and informed that they’re small (10cm / 4 inches long) worms that burrow in the ground and are drawn to farming fields and people. They’re dangerous and might eat the harvest or people.

Special events build on top of the news system I explained in episode 2733. They are read from the same API as regular news and need the same ToJSON, FromJSON, ToDto and FromDto instances as regular news (for translating them into data transfer objects and then into JSON for sending to the client).

Loading

Starting from the API interface, the first real difference is when the JSON stored in the database is turned into a NewsArticle. There are two cases: special news have their available options added to them, and regular news are left unchanged. These options tell the player what choices they have when dealing with the situation, and they are evaluated every time the special event is loaded, because the situation might have changed since the special event was stored in the database and the available options might have changed with it.

eventOptions is one of the two functions defined in the SpecialEvent type class, which specifies the functions every special event has to have. eventOptions lists what options the event currently has available, and resolveEvent resolves the event according to the choice the user might have made (hence the Maybe in it).

The type class is parametrized with three types (imaginatively named a, b and c). The first is the data type that holds information about the special event (where it’s happening and to whom, for example), the second one tells all the possible choices the player has, and the third one lists the various results that might occur when resolving the event. In this example they’re KragiiWormsEvent, KragiiWormsChoice and KragiiResults.

The current implementation of eventOptions doesn’t allow database access, but I’m planning on adding that at the point where I need it. The example doesn’t show all the different options, as they all have the same structure. Only the first option in the list is shown:

Making choice

putApiMessageIdR handles updating news with HTTP PUT messages. The first step is to check that the caller has authenticated and to retrieve the id of their faction. The news article transferred in the body as JSON is parsed and checked for its type. Updating regular news articles isn’t supported and is signaled with an HTTP 403 status code. One more check to perform is that the news article being edited actually belongs to the faction the player is a member of. If that’s not the case, an HTTP 404 response is returned.

If we got this far, the news article is updated with the content sent by the client (which also contains the possible choice made by the user). There’s no check that the type of the news article doesn’t change or that the option selected doesn’t change (I need to add these at a later point). In the end, the list of all messages is returned back to the client.
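As an added example (not the project’s own handler, and independent of Yesod), the following pure Haskell function models the sequence of checks described above, and also includes the two checks the author says are still missing: the article type may not change, and a choice that has already been recorded may not be overwritten. The 403 and 404 status codes are the ones the page names; the 401 for an unauthenticated caller, the field names and the in-memory store are assumptions made for the example.

```haskell
-- Added example (not the project's handler): a pure model of the check order
-- described for putApiMessageIdR, plus the two checks the author notes as still
-- missing. All identifiers except the 403/404 status codes are hypothetical.
import Control.Monad (when)
import Data.Maybe (isJust)
import qualified Data.Map.Strict as Map

newtype FactionId = FactionId Int deriving (Eq, Show)
newtype NewsId    = NewsId Int    deriving (Eq, Ord, Show)

data NewsType = RegularNews | SpecialNews deriving (Eq, Show)

data NewsArticle = NewsArticle
  { newsType     :: NewsType
  , newsOwner    :: FactionId
  , chosenOption :: Maybe Int     -- index of the option the player picked, if any
  } deriving (Eq, Show)

-- 403 and 404 are the page's; 401 for a missing login is an assumption.
data Status = Unauthorized401 | Forbidden403 | NotFound404 deriving (Eq, Show)

-- Constructed in-memory stand-in for the news table.
type Store = Map.Map NewsId NewsArticle

updateNews :: Maybe FactionId -> Store -> NewsId -> NewsArticle -> Either Status Store
updateNews caller store nid incoming = do
  -- 1. caller must be authenticated; this yields their faction id
  fid <- maybe (Left Unauthorized401) Right caller
  -- 2. regular news cannot be edited at all
  when (newsType incoming == RegularNews) (Left Forbidden403)
  -- 3. the article must exist ...
  stored <- maybe (Left NotFound404) Right (Map.lookup nid store)
  -- ... and belong to the caller's faction. A foreign article is answered
  -- with 404 rather than 403, so the response does not confirm the id exists.
  when (newsOwner stored /= fid) (Left NotFound404)
  -- 4. checks the page lists as still to do: no type change, and a choice
  --    that was already made cannot be replaced by a different one
  when (newsType stored /= newsType incoming) (Left Forbidden403)
  when (isJust (chosenOption stored) && chosenOption stored /= chosenOption incoming)
       (Left Forbidden403)
  -- 5. persist; the owner is taken from the stored row, never from the body
  pure (Map.insert nid incoming { newsOwner = newsOwner stored } store)

main :: IO ()
main = do
  let me     = FactionId 7
      store  = Map.fromList
        [ (NewsId 1, NewsArticle SpecialNews me Nothing)
        , (NewsId 2, NewsArticle SpecialNews (FactionId 9) Nothing) ]
      choose = NewsArticle SpecialNews me (Just 0)
  print (updateNews (Just me) store (NewsId 1) choose)   -- own article, first choice
  print (updateNews (Just me) store (NewsId 2) choose)   -- another faction's article
  print (updateNews (Just me) store (NewsId 1) choose { newsType = RegularNews })
  print (updateNews Nothing store (NewsId 1) choose)     -- no login
```

The Either monad gives the same early-exit behaviour the page later gets from MaybeT: the first failing check decides the response and nothing after it runs. Keeping the owner from the stored row, rather than trusting the body, is the one point where this model deliberately goes beyond what the page describes.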

runWriterT and runMaybeT are used because the code being called uses monad transformers to add some extra handling. WriterT adds the ability to record data (KragiiResult in this case) and MaybeT adds the ability to stop the computation early if one of the steps returns a Nothing value.

Let’s walk through what happens when the user has chosen to avoid the kragii worms and keep working only part of the fields. The first step is to load the faction information. If the faction couldn’t be found, we abort. Next, the amount of biological matter consumed and how much is left is calculated. Again, if the calculation isn’t possible, we abort. The next step reaches into the database and updates the amount of biological matter stored by the faction (again, with the possibility to stop early). The final step is to check whether the kragii leave or not (again, with a chance of abort).

Loading the faction has several steps. The id stored in the event is used to load the planet. The planet might or might not have an owner faction, depending on whether it has been settled. This faction id is used to load the faction data. Loading might fail if the corresponding record has been removed from the database, and the planet might not be settled at the given time. Any of these cases will result in Nothing being returned and the whole event resolution being aborted. I’m starting to really like that I don’t have to write separate if statements to take care of these special cases.

The amount of biological matter in store is kept in the faction information. If it’s zero or less, Nothing is returned, as there’s nothing to do really. In other cases, the amount of biological matter left is calculated and the result returned in the form ( cost, biological matter left ). I’m carrying around the cost, as it’s later needed for reporting how much matter was removed.

destroyCrops updates the database with the new amount of biological matter in store for the faction and records the amount of destruction in CropsDestroyed. tell requires that we have a Writer at our disposal and makes recording information nice and easy.

The final step is to roll a percentile die against the given odds and see what happens. In the case of Success, we record that the worms were removed and the value of the function will be Just RemoveOriginalEvent. If we didn’t beat the odds, WormsStillPresent gets recorded and the value of the function is Just KeepOriginalEvent. The return value will then be used later to mark the special event handled.

resolveEvent resolves the event based on the choice the user may have made (this is what we explored earlier in the episode). Depending on the result of resolveEvent, the event gets marked as handled and dismissed. In any case, a news article spelling out what happened is created and saved.

Result article creation is abstracted by the ResultReport type class. It has a single function, report, that takes as parameters the database key of the faction the event concerns, the current time, the special event that was processed, the choice that was made and the list of records telling what happened during resolution. It returns News that is ready to be saved into the database.

Essentially, report takes the event, the choice and the results and builds a string explaining what actually happened.

<> is the monoid operation for combining things, here used for text.

The instance declaration is pretty long, because there are many different cases to account for and by definition they’re all pretty verbose. I have included it in its entirety below, as it might be interesting to glance over and see the different kinds of combinations that resolution might create.
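The resolution pipeline walked through above (load faction, consume matter, destroyCrops, percentile roll) and the report built with <> are shown end to end in the following added example. It is not the project’s code: the type names KragiiResults, CropsDestroyed, WormsRemoved, WormsStillPresent, RemoveOriginalEvent and KeepOriginalEvent come from the page, while the record fields, the in-memory World, the fixed 25% consumption and 40% odds, and the String-returning reportText (the page’s report returns News) are assumptions made for the example. It uses MaybeT from transformers layered over Writer from mtl, the same combination the page describes.

```haskell
-- Added example (not the project's code): the kragii-worm resolution pipeline
-- as MaybeT over Writer, so any step can abort with Nothing while everything
-- recorded with tell before the abort is kept. Fields, World, percentages and
-- reportText are hypothetical; the type names come from the page.
import Control.Monad.Trans.Class (lift)
import Control.Monad.Trans.Maybe (MaybeT (..), runMaybeT)
import Control.Monad.Writer (Writer, runWriter, tell)
import qualified Data.Map.Strict as Map

newtype PlanetId  = PlanetId Int  deriving (Eq, Ord, Show)
newtype FactionId = FactionId Int deriving (Eq, Ord, Show)

data Planet  = Planet  { planetOwner :: Maybe FactionId } deriving Show
data Faction = Faction { factionId :: FactionId, biologicals :: Int } deriving Show

-- Records written with tell, and the outcome resolveEvent hands back.
data KragiiResults   = CropsDestroyed Int | WormsRemoved | WormsStillPresent deriving (Eq, Show)
data EventResolution = RemoveOriginalEvent | KeepOriginalEvent deriving (Eq, Show)

-- Constructed in-memory stand-in for the database.
data World = World { planets  :: Map.Map PlanetId Planet
                   , factions :: Map.Map FactionId Faction } deriving Show

type Resolve = MaybeT (Writer [KragiiResults])

-- Three lookups that may each fail; MaybeT turns any Nothing into an early exit.
loadFaction :: World -> PlanetId -> Resolve Faction
loadFaction w pid = do
  planet <- MaybeT (pure (Map.lookup pid (planets w)))
  owner  <- MaybeT (pure (planetOwner planet))
  MaybeT (pure (Map.lookup owner (factions w)))

-- Returns (cost, matter left); Nothing when the store is already empty.
consumeMatter :: Int -> Faction -> Resolve (Int, Int)
consumeMatter percent f
  | biologicals f <= 0 = MaybeT (pure Nothing)
  | otherwise          = pure (cost, biologicals f - cost)
  where cost = biologicals f * percent `div` 100

-- Persist the new stock and record the loss with tell.
destroyCrops :: World -> Faction -> (Int, Int) -> Resolve World
destroyCrops w f (cost, left) = do
  lift (tell [CropsDestroyed cost])
  pure w { factions = Map.insert (factionId f) f { biologicals = left } (factions w) }

-- Percentile check; the roll is a parameter so the example is deterministic.
wormsLeave :: Int -> Int -> Resolve EventResolution
wormsLeave odds roll
  | roll <= odds = lift (tell [WormsRemoved]) >> pure RemoveOriginalEvent
  | otherwise    = lift (tell [WormsStillPresent]) >> pure KeepOriginalEvent

-- The "avoid the worms, work only part of the fields" choice, end to end.
resolveAvoidWorms :: World -> PlanetId -> Int
                  -> (Maybe (EventResolution, World), [KragiiResults])
resolveAvoidWorms w pid roll = runWriter . runMaybeT $ do
  faction <- loadFaction w pid
  costs   <- consumeMatter 25 faction
  w'      <- destroyCrops w faction costs
  outcome <- wormsLeave 40 roll
  pure (outcome, w')

-- Builds the explanatory text from the records, joining fragments with <>.
reportText :: Maybe EventResolution -> [KragiiResults] -> String
reportText outcome results =
  "Kragii worms: " <> concatMap describe results <> summary outcome
  where
    describe (CropsDestroyed n) = show n <> " units of biological matter were eaten. "
    describe WormsRemoved       = "The worms have left the fields."
    describe WormsStillPresent  = "The worms are still present."
    summary Nothing  = "Resolution aborted before any change was made."
    summary (Just _) = ""

main :: IO ()
main = do
  let world = World (Map.fromList [(PlanetId 1, Planet (Just (FactionId 7)))])
                    (Map.fromList [(FactionId 7, Faction (FactionId 7) 200)])
      (ok,  okLog)  = resolveAvoidWorms world (PlanetId 1) 30   -- settled planet, roll under the odds
      (bad, badLog) = resolveAvoidWorms world (PlanetId 2) 30   -- unknown planet: aborts at loadFaction
  print (fmap fst ok, okLog)
  putStrLn (reportText (fmap fst ok) okLog)
  print (fmap fst bad, badLog)
  putStrLn (reportText (fmap fst bad) badLog)
```

Because Writer sits underneath MaybeT, the log survives an abort: runWriter always yields the list of records, and runMaybeT yields Nothing only for the value. Putting the transformers the other way round (WriterT over Maybe) would discard the records together with the result, which is exactly the information the report needs.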

While there are still pieces left that need a bit of work or are completely missing, the overall structure is in place. While this one took quite a bit of work to get working, I’m hoping that the next special event will be a lot easier to implement. Thanks for listening to the episode.

The easiest way to catch me nowadays is either via email or on the fediverse, where I’m tuturto@mastodon.social

More about the software I use regularly on Linux

Good day to all in HPR land, this is Tony Hughes coming to you from Blackpool in the UK again. This is the second instalment about some of the software I use on Linux Mint 19.1 on a regular basis. So without further ado, let's get on with the show.

Released: 2019-01-14. Duration: 00:20:49. Flag: Clean. Tags: kodi, deluge, Sonarr, Plex, Subsonic, SpiderOakONE, Zoneminder, Borg Backup, rclone, Redshift, Audacity.
I go over my notes at a high level for the software on my Media box as it relates to TV/Movies/Music.